ABSTRACT

This paper proposes a method for abstracting control systems by timed game automata, and is aimed at obtaining automatic controller synthesis.

The proposed abstraction is based on partitioning the state 
space of a control system using positive and negative in- 
variant sets, generated by Lyapunov functions. This parti- 
tioning ensures that the vector field of the control system 
is transversal to the facets of the cells, which induces some 
desirable properties of the abstraction. To allow a rich class 
of control systems to be abstracted, the update maps of the 
timed game automaton are extended. 

Conditions on the partitioning of the state space and the 
control are set up to obtain sound abstractions. Finally, an 
example is provided to demonstrate the method applied to 
a control problem related to navigation. 

Categories and Subject Descriptors 

B.1.2 [Control Structures and Microprogramming]: 

Control Structure Performance Analysis and Design Aids — 
Automatic synthesis, Formal models; F.1.1 [Computation 
by Abstract Devices] : Models of Computation — Automata, 
Relations between models 

General Terms 

Theory 

Keywords 

Abstraction, Automatic controller synthesis, Timed game, 
1. INTRODUCTION

Controller design has been studied for many decades in the
control community. In these studies, the primary objectives 
have been asymptotic stability and disturbance attenuation. 
This type of controller design is quite mature and can be 
used to synthesize controllers via, e.g., LMI-based method 
for linear systems. However, for nonlinear systems, design 
methods are limited and a considerable amount of manual 
labor is required in the controller design. 

Controller design has also been considered in the computer 
science community for, e.g., discrete event systems and timed 
game automata. The requirements for such a system are 
primarily based on reachability of the system and temporal 
properties of the system. Especially, the timing require- 
ments used in computer science are very different from re- 
quirements known in control theory, as these are defined for 
a finite time horizon; whereas, control theory is concerned 
with convergence, i.e., system properties when time goes to 
infinity. Fully automated tools have been developed for con- 
troller synthesis of discrete event systems and timed game 
automata. These are based on formal verification methods; 
therefore, the designed controllers are correct-by-design, i.e., 
the closed-loop control system is guaranteed to comply with 
the specification. This, in principle, eliminates the need for 
simulating the closed-loop control systems to perform fur- 
ther verification. 

The goal of this paper is to abstract control systems by an automata-based model, and thereby allow automatic controller synthesis. In this way we are able to specify requirements in terms of Timed Computation Tree Logic (TCTL) specifications Ij^; hence, requirements on reachability and timing can be added to the usual stability requirement.

Methods for synthesizing controllers for this kind of specification have been proposed in the computer science community for timed game automata. For games, the controller is called a strategy, and it decides among the possible choices in the game. The strategy can be automatically synthesized using tools such as UPPAAL Tiga [i].

Methods from formal verification have already been adopted in control theory for controller design in [9]. Here the controller is synthesized to avoid certain unsafe states. For this purpose, a concept of approximate bisimulation, a relaxation of exact bisimulation, has been introduced. This is further demonstrated in where a robot is controlled to avoid some obstacles using a temporal logic specification. However, the generation of the models used for the synthesis procedure of these methods is based on simulating the system, which makes the method computationally demanding.

Methods for discretized models also exist, where solutions to the system equations are not utilized. One such method is presented in [l^, where the principle of control to facet is utilized to synthesize a control strategy.

In this paper, we abstract control systems by timed game automata with an extended update map, and use ideas similar to the bisimulation functions used in [9] in the abstraction procedure. However, the method does not require solutions to the system equations and is therefore not as computationally expensive. The work is an extension of the abstraction procedure presented in [13], which applies to autonomous systems. This abstraction of dynamical systems by timed automata is based on partitioning the state space using Lyapunov functions. The intersections of sub-level sets of Lyapunov functions are used to form the cells that discretize the state space. This makes the problem of synthesizing a control strategy similar to control to facet, as the cells are generated using intersections of invariant sets. We provide a method for the design of switched controllers. The main result of the paper is Theorem 1, which states sufficient and necessary conditions for sound abstractions by timed game automata. Since we abstract the control systems by timed game automata with a modified update map, the synthesis procedure cannot yet be accomplished using existing tools.

This paper is organized as follows: Section 2 contains preliminary definitions used throughout the paper, Section 3 explains the partitioning of the state space and the control, and Section 4 describes how a timed game is generated from the partition. In Section 5 conditions for soundness are set up, Section 6 provides an example, and Section 7 comprises conclusions.

1.1 Notation

The set $\{1, \ldots, k\}$ is denoted $\mathbf{k}$. $B^A$ is the set of maps $A \to B$, and $C(\mathbb{R}^n, \mathbb{R}^m)$ is the set of continuous maps $\mathbb{R}^n \to \mathbb{R}^m$. The power set of $A$ is denoted $2^A$. Given a vector $a \in \mathbb{R}^n$, $a(j)$ denotes the $j$-th coordinate of $a$. Given a set $A$, the cardinality of the set is denoted $|A|$. Consider the Euclidean space $(\mathbb{R}^n, \langle \cdot, \cdot \rangle)$, where $\langle \cdot, \cdot \rangle$ is the scalar product. The state space is a connected subset $X \subseteq \mathbb{R}^n$ such that there exists an open set $U$ with $\mathrm{cl}(U) = X$. Whenever $f : X \to \mathbb{R}$ is a function and $a \in \mathbb{R}$, we write $f^{-1}(a)$ to shorten the notation of

2. PRELIMINARIES

The purpose of this section is to provide definitions related to control systems and timed game automata.

A control system $\Gamma = (X, U, f)$ has state space $X \subseteq \mathbb{R}^n$, input space $U \subseteq \mathbb{R}^m$, and dynamics described by the ordinary differential equation $f : X \times U \to \mathbb{R}^n$,

$\dot{x} = f(x, u).$ (1)

The input $u$ is controlled via a continuous map $g : X \to U$. The system $\Gamma = (X, U, f)$ with the control $g$ is denoted $\Gamma_g = (X, f_g)$, where

$\dot{x} = f_g(x) = f(x, g(x)).$ (2)

We assume that $f_g$ is locally Lipschitz and has linear growth; then there exists a unique solution of (2) on $(-\infty, \infty)$ [s].

The solution of (2) from an initial state $x_0 \in X_0 \subseteq X$ at time $t > 0$ is described by the flow function $\phi_{\Gamma_g} : [0, \epsilon] \times X \to X$, $\epsilon > 0$, satisfying

$\dfrac{d\phi_{\Gamma_g}(t, x_0)}{dt} = f_g(\phi_{\Gamma_g}(t, x_0))$ (3)

for all $t > 0$.



Lyapunov functions are utilized in stability theory and are defined in the following [12].

Definition 1 (Lyapunov Function). Let $X$ be an open connected subset of $\mathbb{R}^n$. Suppose $f_g : X \to \mathbb{R}^n$ is continuous and let $\mathrm{Cr}(f_g)$ be the set of critical points of $f_g$. Then a real non-degenerate differentiable function $\varphi : X \to \mathbb{R}$ is said to be a Lyapunov function for $f_g$ if

$p$ is a critical point of $f_g$ $\Leftrightarrow$ $p$ is a critical point of $\varphi$, (4a)
$\dot{\varphi}_g(x) = 0 \quad \forall x \in \mathrm{Cr}(f_g)$, (4b)
$\dot{\varphi}_g(x) \neq 0 \quad \forall x \in X \setminus \mathrm{Cr}(f_g)$, (4c)

and there exists $\alpha > 0$ and an open neighborhood of each critical point $p \in \mathrm{Cr}(f_g)$ where

$|\dot{\varphi}_g(x)| > \alpha \|x - p\|^2.$ (5)

Remark 1. We only require the vector field to be transversal to the level curves of a Lyapunov function $\varphi$, i.e., $\dot{\varphi}_g(x) = \langle \nabla \varphi(x), f_g(x) \rangle \neq 0$ for all $x \in X \setminus \mathrm{Cr}(f_g)$, and do not use Lyapunov functions in the usual sense, where the existence of a Lyapunov function implies stability, but use a more general notion from



To simplify the notation, we use the subscript $g$ on $\dot{\varphi}_g$ to indicate that the control $g$ is applied in the calculation of $\dot{\varphi}_g$.

Definition 2 (Reachable Set of Dynamical System). The reachable set of a dynamical system $\Gamma_g$ from a set of initial states $X_0 \subseteq X$ on the time interval $[t_1, t_2]$ is defined as

$\mathrm{Reach}_{[t_1, t_2]}(\Gamma_g, X_0) = \{x \in X \mid \exists t \in [t_1, t_2], \exists x_0 \in X_0 \text{ such that } x = \phi_{\Gamma_g}(t, x_0)\}.$ (6)

The control system will be abstracted by a timed game automaton, which is an extension of a timed automaton. In the definition of a timed automaton, a set of diagonal-free clock constraints $\Psi(C)$ is used for the set $C$ of clocks. $\Psi(C)$ is defined as the set of constraints $\psi$ described by the following grammar:

$\psi ::= c \bowtie k \mid \psi_1 \wedge \psi_2$, where $c \in C$, $k \in \mathbb{R}_{\geq 0}$, and $\bowtie \in \{<, \leq, =, \geq, >\}$. (7)

Note that the clock constraint $k$ should usually be an integer, but in this paper no effort is made to convert the clock constraints into integers. Furthermore, the elements of $\bowtie$ are bold to indicate that they are syntactic operations.

Definition 3 (Timed Automaton). A timed automaton $A$ is a tuple $(E, E_0, C, \Sigma, I, \Delta)$, where

• $E$ is a finite set of locations, and $E_0 \subseteq E$ is the set of initial locations.

• $C$ is a finite set of clocks.

• $\Sigma$ is the set of actions.

• $I : E \to \Psi(C)$ assigns invariants to locations.

• $\Delta \subseteq E \times \Psi(C) \times \Sigma \times 2^C \times E$ is a finite set of transition relations. The transition relations provide edges between locations as tuples $(e, G_{e \to e'}, \sigma, R_{e \to e'}, e')$, where $e$ is the source location, $e'$ is the destination location, $G_{e \to e'} \in \Psi(C)$ is the guard set, $\sigma$ is an action in $\Sigma$, and $R_{e \to e'} \in 2^C$ is the set of clocks to be reset.

The semantics of a timed automaton is defined in the following, adopting the notation of [t].

Definition 4 (Clock Valuation). A clock valuation on a set of clocks $C$ is a mapping $v : C \to \mathbb{R}_{\geq 0}$. The initial valuation $v_0$ is given by $v_0(c) = 0$ for all $c \in C$. For a valuation $v$, $t \in \mathbb{R}_{\geq 0}$, and $R \subseteq C$, the valuations $v + t$ and $v[R]$ are defined as follows

$(v + t)(c) = v(c) + t,$ (8a)
$v[R](c) = 0$ for $c \in R$, and $v[R](c) = v(c)$ otherwise. (8b)

We see that (8a) is used to progress time and that (8b) is used to reset the clocks in $R$ to zero.



Definition 5 (Semantics of Clock Constraint). A clock constraint in $\Psi(C)$ is a set of clock valuations $\{v : C \to \mathbb{R}_{\geq 0}\}$ given by

$[\![c \bowtie k]\!] = \{v : C \to \mathbb{R}_{\geq 0} \mid v(c) \bowtie k\}$ (9a)
$[\![\psi_1 \wedge \psi_2]\!] = [\![\psi_1]\!] \cap [\![\psi_2]\!].$ (9b)

For convenience we denote $v \in [\![\psi]\!]$ by $v \models \psi$.

Definition 6 (Semantics of Timed Automaton). The semantics of a timed automaton $A = (E, E_0, C, \Sigma, I, \Delta)$ is a transition system $[\![A]\!] = (S, S_0, \Sigma \cup \mathbb{R}_{\geq 0}, T_\sigma \cup T_t)$, where

$S = \{(e, v) \in E \times \mathbb{R}^C_{\geq 0} \mid v \models I(e)\}$
$S_0 = \{(e, v_0) \mid e \in E_0\}$
$T_\sigma = \{(e, v) \xrightarrow{\sigma} (e', v') \mid \exists (e, G_{e \to e'}, \sigma, R_{e \to e'}, e') \in \Delta : v \models G_{e \to e'},\ v' = v[R_{e \to e'}]\}$
$T_t = \{(e, v) \xrightarrow{t} (e, v + t) \mid \forall t' \in [0, t] : v + t' \models I(e)\}.$



Analogous to the solution of (2), shown in (3), is a run of a timed automaton.

Definition 7 (Run of Timed Automaton). A run of a timed automaton $A$ is a possibly infinite sequence of alternations between time steps and discrete steps of the following form

$\rho_A : (e_0, v_0) \xrightarrow{t_1} (e_0, v_1) \xrightarrow{\sigma_1} (e_1, v_2) \xr rightarrow{t_2} \cdots$ (10)

which is a path in $[\![A]\!]$, where $t_i \in \mathbb{R}_{\geq 0}$ and $\sigma_i \in \Sigma$. The multifunction describing the runs of a timed automaton, $\phi_A : \mathbb{R}_{\geq 0} \times E_0 \to 2^E$, is defined by $e \in \phi_A(t, e_0)$ if and only if there exists a path in $[\![A]\!]$ initialized in $(e_0, v_0)$ that reaches the location $e$ at time $t = \sum_i t_i$.



From the run of a timed automaton, the reachable set is defined below.



Definition 8 (Reachable Set of Timed Automaton). The reachable set of a timed automaton $A$, with initial locations $E_0$, in the time interval $[t_1, t_2]$ is defined as

$\mathrm{Reach}_{[t_1, t_2]}(A, E_0) = \{e \in E \mid \exists t \in [t_1, t_2], \exists e_0 \in E_0 \text{ such that } e \in \phi_A(t, e_0)\}.$ (11)

A timed game automaton is closely related to a timed automaton, as shown in the following [s].

Definition 9 (Timed Game Automaton). A timed game automaton is a tuple $\mathcal{G} = (E, E_0, C, \Sigma_c, \Sigma_u, I, \Delta)$, where the tuple $(E, E_0, C, \Sigma_c \cup \Sigma_u, I, \Delta)$ is a timed automaton. The set $\Sigma_c$ contains controllable actions (system inputs) and the set $\Sigma_u$ contains uncontrollable actions (system outputs).

Actions that can be affected by a strategy, see Definition 11, are controllable actions. However, transitions labeled with uncontrollable actions can happen whenever an adversary (the environment) chooses to take them and the associated guards are satisfied. In this setting, the input actions are equivalent to changing the control $g(x)$, and the output actions are observations, i.e., they convey information about the state of the system.



Example 1. Consider the timed game automaton shown in Figure 1, having four locations and one clock. It is initialized in location $e_1$ and the aim is to reach location $e_3$. Initially, an uncontrollable action can enable a transition to $e_2$ when the guard $c > 1$ is satisfied. After reaching $e_2$, the game is guaranteed to reach location $e_3$ if the controllable action $\sigma_c$ happens when $c < 1$. Otherwise a transition to $e_4$ may occur.



Analogous to the controller $g(x)$, a strategy is defined in the following. Let us first define the continuation of a run.

Figure 1: Timed game automaton with four locations, where the solid line represents a transition with a controllable action and the dashed lines represent transitions with uncontrollable actions.

Definition 10 (Continuation of a Run). Let $\rho = (e_0, v_0) \to \cdots \to (e_k, v_k)$ be a run. Then a continuation of the run $\rho$ is the run $\rho' = (e_0, v_0) \to \cdots \to (e_k, v_k) \to (e_{k+1}, v_{k+1})$, denoted $\rho' = \rho \to (e_{k+1}, v_{k+1})$.

Definition 11 (Strategy). Let $\mathcal{G} = (E, E_0, C, \Sigma_c, \Sigma_u, I, \Delta)$ be a timed game automaton. Then any map $\kappa : S^\rho \to \Sigma_c \cup \{\delta\}$, where $S^\rho$ is the set of all runs and $\delta \notin \Sigma_c \cup \Sigma_u$, which satisfies the following two conditions:

1. if $\kappa(\rho) = \delta$, then $\rho \xrightarrow{t} (e_k, v_k + t)$ is a path in $[\![\mathcal{G}]\!]$ for some $t > 0$, and

2. if $\kappa(\rho) = \sigma$, then $\rho \xrightarrow{\sigma} (e_{k+1}, v_{k+1})$ is a path in $[\![\mathcal{G}]\!]$,

for any run $\rho = (e_0, v_0) \to \cdots \to (e_k, v_k)$, is called a strategy.

We see that the controller can either do nothing ($\kappa(\rho) = \delta$) or execute a controllable action ($\kappa(\rho) = \sigma$). Furthermore, we see that a strategy may depend on the entire past of the run. However, we are only interested in so-called memoryless strategies, i.e., strategies that only depend on the current state of the timed game automaton. This implies that if $\rho = (e_0, v_0) \to (e_1, v_1) \to \cdots \to (e_k, v_k)$ and $\rho' = (e_0, v_0) \to (e'_1, v'_1) \to \cdots \to (e_k, v_k)$, then $\kappa(\rho) = \kappa(\rho')$. In addition to being memoryless, we require the strategy to be independent of the clock valuations, i.e., if $\rho = (e_0, v_0) \to \cdots \to (e_k, v_k)$ and $\rho' = (e_0, v_0) \to (e'_1, v'_1) \to \cdots \to (e_k, v'_k)$, then $\kappa(\rho) = \kappa(\rho')$. A closed-loop system satisfying these properties can be implemented as a parallel composition of a timed automaton and an automaton.

Definition 12. Consider the timed game automaton $\mathcal{G}$ and the strategy $\kappa$, which only depends on the locations. Then $\mathcal{G}_\kappa$ is the timed automaton controlled using the strategy $\kappa$.

3. GENERATION OF FINITE PARTITION

The presented abstraction is based on partitioning the state space and the control of $\Gamma = (X, U, f)$. The partitioning of the state space is inspired by the partitioning presented in [13]. However, in contrast to [13], the considered system has an unknown control $u$, as stated in (1).

It is proposed to partition the state space by intersecting slices defined as the set-difference of positive and negative invariant sets. This implies that the partition should be conducted such that for each admissible control $g^i(x)$ the vector field of the controlled system $\Gamma_{g^i} = (X, f_{g^i})$ is transversal to the boundaries of the slices. The admissible controls are defined to be the finite set $K_U = \{g^i(x) \mid i \in \Lambda\}$, where $\Lambda$ is some index set. For simplicity, the controls in $K_U$ have domain $X$. However, this simplification can easily be relaxed.

Definition 13 (Slice). A nonempty set $S$ is a slice if it is a union of cells and there exist two sets $A$ and $B$ that are positive or negative invariant such that

1. $B$ is a proper subset of $A$, i.e., $B \subset A$,

2. given any $g \in K_U$, $A$ and $B$ are either positive or negative invariant sets for the system $\Gamma_g = (X, f_g)$, and

3. $S = \mathrm{cl}(A \setminus B)$.

From this definition, we see that for a given partition, only controls that make the vector field of the closed-loop system transversal to the boundaries of the slices are allowed.

To devise a partition of a state space, we need to define collections of slices, called slice-families.

Definition 14 (Slice-Family). A slice-family $\mathcal{S}$ is a collection of slices generated by the positive and negative invariant open sets $A_1 \subset A_2 \subset \cdots \subset A_k$ covering the entire state space of $\Gamma$, thereby $S_1 = A_1$, $S_2 = \mathrm{cl}(A_2 \setminus A_1)$, $\ldots$, $S_k = \mathrm{cl}(A_k \setminus A_{k-1})$ and $X \subseteq A_k$. For convenience $|\mathcal{S}|$ is defined to be the cardinality of the slice-family $\mathcal{S}$, thus $\mathcal{S} = \{S_1, \ldots, S_{|\mathcal{S}|}\}$. Furthermore, we say that $\mathcal{S}$ is generated by the sets $\{A_i \mid i \in \mathbf{k}\}$.

A function is associated with each slice-family $\mathcal{S}$ to provide an easy way of describing the boundary of a slice. Such functions are called partitioning functions.

Definition 15 (Partitioning Function). Let $\mathcal{S}$ be a slice-family; then a continuous function $\varphi : \mathbb{R}^n \to \mathbb{R}$ smooth on $\mathbb{R}^n \setminus \{0\}$ is a partitioning function associated with $\mathcal{S}$ if for any set $A_i$ generating $\mathcal{S}$ there exist $a_i, a'_i \in \mathbb{R} \cup \{-\infty, \infty\}$ such that

$\varphi^{-1}([a_i, a'_i]) = A_i$ (12)

and $a_i, a'_i$ are regular values of $\varphi$. By the regular level set theorem, the boundary $\varphi^{-1}(a_i)$ of $A_i$ is a smooth manifold

In the remainder of the paper, we associate with each slice-family $\mathcal{S}^i$ a partitioning function $\varphi^i$.

The partition of the state space is associated with cells that are generated by intersecting slices.

Definition 16. We say that slices $S_1$ and $S_2$ intersect each other transversally and write

$S_1 \pitchfork S_2 = S_1 \cap S_2,$ (13)

if their boundaries, $\mathrm{bd}(S_1)$ and $\mathrm{bd}(S_2)$, intersect each other transversally.



Definition 17 (Extended Cell). Let $\{\mathcal{S}^i \mid i \in \mathbf{k}\}$ be a collection of $k$ slice-families and define $\mathcal{Y} = \{1, \ldots, |\mathcal{S}^1|\} \times \cdots \times \{1, \ldots, |\mathcal{S}^k|\}$. Denote the slice $j$ in $\mathcal{S}^i$ by $S^i_j$ and let $y \in \mathcal{Y}$. Then

Any nonempty set $e_{ex,y}$ will be called an extended cell. These cells are denoted extended cells, since the transversal intersection of slices may form multiple disjoint sets.

Figure 2: Vector field of (17), illustrated with blue arrows, with three different controls applied to the system.



Definition 18 (Cell). A cell is a connected component of an extended cell

Z

where

$\forall z \neq z'$. (15a) (15b)



We say that the slices $S^1_{y_1}, \ldots, S^k_{y_k}$ generate the cell. In the remainder of the paper, we denote the slice from the $i$-th slice-family generating $e$ by $S^i_e$.

Proposition 1 (Proof in [m]). If $S_1 \pitchfork S_2 \neq \emptyset$ then

$\mathrm{int}(S_1 \cap S_2) \neq \emptyset.$ (16)



A finite partition of the state space based on the transversal intersection of slices is defined in the following.

Definition 19 (Finite Partition of State Space). Let $\mathcal{S}$ be a collection of slice-families, $\mathcal{S} = \{\mathcal{S}^i \mid i \in \mathbf{k}\}$. Then the finite partition $K_X(\mathcal{S})$ is defined to be the collection of all cells generated by $\mathcal{S}$ according to Definition 18.

Finally, the product of $K_X(\mathcal{S})$ and $K_U$ is defined to be the partition of $\Gamma$ given by $K(\mathcal{S}) = K_X(\mathcal{S}) \times K_U$.

The following example clarifies how the partitioning is conducted.



Example 2. Consider the one-dimensional system with one control input and state space $X = [-3, 3] \subset \mathbb{R}$,

$\dot{x} = -x + u.$ (17)

The partition of its state space is conducted using the sets $A_1 = [-1, 1]$ and $A_2 = [-3, 3]$, i.e., we obtain the cells $[-3, -1]$, $[-1, 1]$, $[1, 3]$. The control of the system should also be partitioned, which is chosen to be $K_U = \{0, 1.5, 2x\}$. Figure 2 shows a partition associated with (17).

From the figure it is seen that the direction of the vector field can be reversed completely or partly according to the input applied to the system. Furthermore, the two sets $A_1 = [-1, 1]$ and $A_2 = [-3, 3]$ are positive or negative invariant sets for all controls in $K_U$.



4. GENERATION OF TIMED GAME FROM FINITE PARTITION

To abstract a control system $\Gamma$ by a timed game automaton $\mathcal{G}$, we modify the abstraction procedure presented in [13] by adding the distinction between controllable and uncontrollable actions according to Definition 9. Furthermore, we extend the expressiveness of the update maps of the timed game, to allow more accurate abstractions. First, an example is provided to illustrate the principle of the abstraction; then the abstraction procedure is presented.

The possibility to change the control input increases the number of locations and adds the possibility to influence the trajectories of the system, as shown in the following example.

Example 3. Consider the one-dimensional system from Example 2, where $X = [-3, 3]$ and

$\dot{x} = -x + u.$ (18)

The state space $X$ is partitioned into three cells, i.e., $K_X = \{[-3, -1], [-1, 1], [1, 3]\}$, and the controls are in $K_U = \{0, 1.5, 2x\}$. All controls can be applied in all cells, i.e., the generated game has 9 locations ($K_X \times K_U$). A timed game abstracting this system is illustrated in Figure 3, where the execution of the controllable action $\sigma^i_c$ resembles applying the control $u = g^i(x)$ in the dynamical system.

Figure 3: Illustration of a timed game automaton, where three different controls can be applied to the system.



Before providing the procedure for generating a timed game automaton, the clock valuation is redefined, as a more expressive update map is used in order to abstract the systems. Furthermore, we define the clock valuation on pairs of clocks, as the abstraction uses pairs of clocks to monitor the fastest and the slowest progress, respectively, in each direction.

Definition 20 (Extended Clock Valuation). Denote the pair of clocks $(c^i_1, c^i_2)$ by $c^i$ and let $C = \{c^i \mid i \in \mathbf{k}\}$. Then a clock valuation on a set of clocks $C$ is a mapping $v : C \to \mathbb{R}^2_{\geq 0}$. The initial valuation $v_0$ is given by $v_0(c) = (0, 0)$ for all $c \in C$. For a valuation $v$, $t \in \mathbb{R}_{\geq 0}$, and $R \subseteq C$, the valuations $v + t$ and $v[R]$ on a pair of clocks $c$ are

$(v + t)(c) = v(c) + (t, t),$ (19a)
$v[R](c) = \alpha + \beta v(c)$ for $c \in R$, (19b)

where $\alpha \in \mathbb{R}^2$ and $\beta$ is a $2 \times 2$ matrix with rational entries.

Note that resetting a pair of clocks is just a special case of (19b), where $\alpha = (0, 0)$ and all entries of $\beta$ are zero. Furthermore, the valuation of one clock, denoted $v(c_1)$ or $v(c_2)$, is also used in the following, when appropriate.

In the following, a procedure is presented for generating a timed game automaton from a finite partition.

Procedure 1. Given a partition $K(\mathcal{S})$, the timed game automaton $\mathcal{G} = (E, E_0, C, \Sigma_c, \Sigma_u, I, \Delta)$ is generated using the following

• Locations: Let the locations of $\mathcal{G}$ be given by

$E = K_X(\mathcal{S}) \times K_U.$ (20)

We use the notation $e_{(y,z,j)} = (e_{(y,z)}, g^j) \in E$. This means that a location $e_{(y,z,j)}$ is associated with the cell $e_{(y,z)}$ of the partition $K_X(\mathcal{S})$ and the control $g^j(x)$ in $K_U$.

• Clocks: Given $k$ slice-families, the number of clocks is $2k$, i.e., $C = \{c^i \mid i \in \mathbf{k}\}$. The pair of clocks $c^i = (c^i_1, c^i_2)$ monitors the maximum and minimum time for being in slices of the slice-family $\mathcal{S}^i$.

• Invariants: In each location $e \in E$, there are up to $k$ invariants. The invariants for location $e_{(y,z,j)}$ specify upper bounds on the time for staying in the $k$ slices generating the cell $e_{(y,z)}$ with a control $g^j$ applied in $e_{(y,z)}$. We say that a cell $e_{(y,z)}$ is generated by the slices $\{S^i_{y_i} \mid i \in \mathbf{k}\}$ and in addition we say that a location $e_{(y,z,j)}$ is generated by $\{S^i_{(y_i, g^j)} \mid i \in \mathbf{k}\}$ and use the shorthand notation $S^i_e = S^i_{(y_i, g^j)}$ for convenience. We impose an invariant whenever there is an upper bound on the time for staying in a slice generating the cell $e$,

$I(e) = \bigwedge_{i \in \mathbf{k}} c^i_1 \leq t_{S^i_e}$ (21)

where $t_{S^i_e} \in \mathbb{R}_{>0}$ is an upper bound on the time for staying in $S^i_e$.

• Controllable Actions: The controllable actions $\Sigma_c$ are actions $\sigma^1_c, \ldots, \sigma^{|K_U|}_c$, where $\sigma^j_c$ is associated with applying the control $g^j(x)$ to the dynamical system.

• Uncontrollable Actions: The uncontrollable actions $\Sigma_u$ are actions $\sigma^1_u, \ldots, \sigma^k_u$, where $\sigma^i_u$ is associated with transitions between slices of the $i$-th slice-family $\mathcal{S}^i = \{S^i_1, \ldots, S^i_{|\mathcal{S}^i|}\}$.

• Transition relations: If a pair of locations $e$ and $e'$, where the control $g(x)$ is applied in both $e$ and $e'$, satisfy the following two conditions

1. $e$ and $e'$ are adjacent cells in the state space, i.e., $e \cap e' \neq \emptyset$, with $S^i_e \neq S^i_{e'}$ for some $i \in \mathbf{k}$. Hence, $e$ and $e'$ are generated from different slices in $\mathcal{S}^i$, and

2. $\varphi^i(x') < \varphi^i(x)$ $\forall x \in e$ and $\forall x' \in e'$ and $\dot{\varphi}^i_g(x) < 0$ $\forall x \in e \cap e'$, or $\varphi^i(x') > \varphi^i(x)$ $\forall x \in e$ and $\forall x' \in e'$ and $\dot{\varphi}^i_g(x) > 0$ $\forall x \in e \cap e'$,

then there is a transition relation

$\delta_{e \to e'} = (e, G_{e \to e'}, \sigma^i_u, R_{u, e \to e'}, e')$ (22a)

where

$G_{e \to e'} = c^i_2 \geq t_{S^i_e}$ (22b)
(22c)

and $t_{S^i_e} \in \mathbb{R}_{\geq 0}$ is a lower bound on the time for staying in $S^i_e$, and $v[R_{u, e \to e'}]$ is defined in (19b) with $\alpha = (0, 0)$ and all entries of $\beta$ equal to zero. Note that $\sigma^i_u$ is the action on the transition $\delta_{e \to e'}$, as $e$ and $e'$ are generated using different slices from the $i$-th slice-family.

At each location $e$, where the control $g^j(x)$ is applied, the following transitions are defined for all $i \in \{1, \ldots, |K_U|\} \setminus \{j\}$

$\delta_{e \to e'} = (e, G_{e \to e'}, \sigma^i_c, R_{c, e \to e'}, e')$ (23a)

where the control $g^i(x)$ is applied in $e'$ and

$G_{e \to e'} = \{c \geq 0 \mid c \in \{c^i \mid i \in \mathbf{k}\}\}$ (23b)
$R_{c, e \to e'} = C.$ (23c)

Note that there are no active guard conditions and that the exact values of $\alpha, \beta$ are provided in Theorem 1 in Section 5 to obtain soundness of the abstraction.

For convenience the following notion is introduced.

Definition 21. Let $\mathcal{S}$ be a collection of slice-families, i.e., $\mathcal{S} = \{\mathcal{S}^i \mid i \in \mathbf{k}\}$. Then $\mathcal{G}(\mathcal{S})$ is the timed game automaton generated by $K(\mathcal{S})$ according to Procedure 1.



Remark 2. Although the locations of $\mathcal{G}(\mathcal{S})$ are associated with cells of $K_X(\mathcal{S})$, we will also utilize the timed game automaton $\mathcal{G}_{ex}(\mathcal{S})$ with locations associated with extended cells, i.e., (recall the definition of $\mathcal{Y}$ from Definition 17)

$E = \{e_{ex,y} \mid y \in \mathcal{Y}\} \times K_U.$ (24)

The other steps of Procedure 1 are identical for the two timed game automata $\mathcal{G}(\mathcal{S})$ and $\mathcal{G}_{ex}(\mathcal{S})$.
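As an added example (this is not code from the paper), the following Python script carries out Procedure 1 on the data of Examples 2 and 3: it checks, cell by cell, whether each control in $K_U$ keeps $\dot{\varphi}_g$ at one sign (the admissibility condition of Section 5), and for each admissible location computes the sup and inf of $|\dot{\varphi}_g|$ that Theorem 1 uses as clock rates, turning them into the guard lower bound of (22b) and the invariant upper bound of (21). The partitioning function $\varphi(x) = |x|$, the grid-based sup/inf, and the Euler check of the exit time are assumptions of this example, not taken from the paper.

```python
"""Added example: admissibility check and clock bounds for x' = -x + u.
Data from Examples 2 and 3: X = [-3, 3], slices generated by A1 = [-1, 1]
and A2 = [-3, 3], controls K_U = {0, 1.5, 2x}.  The partitioning function
phi(x) = |x| is an assumption (the paper states none); its sub-level sets
phi^{-1}([0,1]) = A1 and phi^{-1}([0,3]) = A2 generate the slices.
"""

# Cells of K_X: connected components of S1 = A1 and S2 = cl(A2 \ A1).
CELLS = {"[-3,-1]": (-3.0, -1.0), "[-1,1]": (-1.0, 1.0), "[1,3]": (1.0, 3.0)}
# Control candidates K_U of Example 2, each as a function g(x).
CONTROLS = {"0": lambda x: 0.0, "1.5": lambda x: 1.5, "2x": lambda x: 2.0 * x}


def f(x, u):
    """Dynamics (17): dx/dt = -x + u."""
    return -x + u


def phi(x):
    """Assumed partitioning function phi(x) = |x|, smooth away from 0."""
    return abs(x)


def phi_dot(x, g):
    """Derivative of phi along the closed loop: <grad phi(x), f_g(x)>."""
    grad = 1.0 if x > 0 else -1.0 if x < 0 else 0.0
    return grad * f(x, g(x))


def grid(cell, n):
    """Uniform grid on the cell that contains both endpoints exactly."""
    lo, hi = cell
    return [lo + (hi - lo) * i / n for i in range(n + 1)]


def classify(cell, g, n=400):
    """Admissibility test of Section 5 on one cell: phi_dot must keep one
    strict sign away from critical points.  Returns (sign, sup|phi_dot|,
    inf|phi_dot|) with sign '+' or '-', or None if the sign changes, i.e.
    the vector field is not transversal to the slice boundaries."""
    signs, mags = set(), []
    for x in grid(cell, n):
        d = phi_dot(x, g)
        if d > 0:
            signs.add("+")
        elif d < 0:
            signs.add("-")
        mags.append(abs(d))
    if len(signs) != 1:
        return None
    return signs.pop(), max(mags), min(mags)


def clock_bounds(cell_name, ctrl_name, n=400):
    """Bounds Procedure 1 attaches to the location (cell, control):
    t_low = delta_a / sup|phi_dot| is the guard lower bound of (22b) and
    t_up = delta_a / inf|phi_dot| the invariant upper bound of (21), with
    delta_a the width of the slice in phi-values (Corollary 1) and sup/inf
    the rates (36a)/(36b) of Theorem 1.  t_up is None when the infimum is
    0 (the trajectory may never leave, so no invariant is imposed); the
    result is None when the control is not admissible on the cell."""
    cell, g = CELLS[cell_name], CONTROLS[ctrl_name]
    cls = classify(cell, g, n)
    if cls is None:
        return None
    sign, sup_rate, inf_rate = cls
    levels = [phi(x) for x in grid(cell, n)]
    delta_a = max(levels) - min(levels)
    t_low = delta_a / sup_rate
    t_up = delta_a / inf_rate if inf_rate > 0 else None
    return sign, t_low, t_up


def game_locations():
    """Locations E = K_X x K_U of the timed game (3 x 3 = 9 in Example 3),
    each mapped to its clock bounds, or to None if not admissible."""
    return {(c, u): clock_bounds(c, u) for c in CELLS for u in CONTROLS}


def exit_time(cell_name, ctrl_name, x0, dt=1e-4, horizon=10.0):
    """Euler-integrate the closed loop from x0 until it leaves the cell.
    Returns the exit time, or None if still inside at the horizon.  For a
    sound abstraction the exit time must lie in [t_low, t_up]."""
    lo, hi = CELLS[cell_name]
    g = CONTROLS[ctrl_name]
    x, t = x0, 0.0
    while t < horizon:
        x += dt * f(x, g(x))
        t += dt
        if x < lo or x > hi:
            return t
    return None


if __name__ == "__main__":
    for loc, bounds in game_locations().items():
        print(loc, "->", bounds)
    # From x0 = 3 with u = 0 the state reaches x = 1 at t = ln 3, inside [2/3, 2].
    print("exit time:", exit_time("[1,3]", "0", 3.0))
```

With these inputs the constant control 1.5 passes the sign test only on $[-3, -1]$: it has an equilibrium at $x = 1.5$ inside $[1, 3]$, and $\dot{\varphi}$ changes sign at $x = 0$ in $[-1, 1]$, so those two locations get no bounds.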



5. PROPERTIES OF THE ABSTRACTION

The purpose of this section is to derive conditions for the partitions of the state space and control, and the conditions for the update maps under which an abstraction is sound.

To derive properties of the closed-loop system, we need a notion of controlled system, similar to $\mathcal{G}_\kappa$ from Definition 12.

Definition 22. Let the control system $\Gamma = (X, U, f)$ controlled using the strategy $\kappa$ be denoted $\Gamma_\kappa$. Then the dynamics of $\Gamma_\kappa$ is given by

$\dot{x} = f(x, g(x))$, where (25a)
$g(x) = g^i(x)$ $\forall x \in e_j$ iff $\kappa(e_j) = \sigma^i_c$. (25b)

Remark 3. We assume that Filippov solutions do not occur, as the implementation of the timed automaton is based on integers in the guards and invariants. For more details about the problems that can occur when having Filippov solutions, see



A useful abstraction preserves safety. Therefore, the following is defined [2].

Definition 23 (Sound Abstraction). Let $\Gamma = (X, U, f)$ be a control system and suppose its state space $X$ is partitioned by $K_X(\mathcal{S}) = \{e_i \mid i \in \mathbf{k}\}$ and its control is partitioned by $K_U$. Let the initial states be $X_0 = \bigcup_{i \in I} e_i$, with $I \subseteq \mathbf{k}$. Then a timed game automaton $\mathcal{G} = (E, E_0, C, \Sigma_c, \Sigma_u, I, \Delta)$ with $E = K_X(\mathcal{S}) \times K_U$ and $E_0 = \{e_i \mid i \in I\} \times K_U$ is said to be a sound abstraction of $\Gamma$ on $[t_1, t_2]$ if $\forall t \in [t_1, t_2]$ and any strategy $\kappa$

$e_i \cap \mathrm{Reach}_{[t,t]}(\Gamma_\kappa, X_0) \neq \emptyset$ implies (26a)
$\exists e_0 \in E_0$ such that $e_i \in \phi_{\mathcal{G}_\kappa}(t, e_0)$. (26b)

Note that the systems apply the same control at all times, as they follow the same strategy.

If a sound abstraction $\mathcal{G}$ is safe for some strategy $\kappa$, then $\Gamma$ is also safe for the same strategy, as $\mathcal{G}_\kappa$ reaches all locations reached by $\Gamma_\kappa$.

Definition 24 (Complete Abstraction). Let $\Gamma$ be a control system and suppose its state space $X$ is partitioned by $K_X(\mathcal{S}) = \{e_i \mid i \in \mathbf{k}\}$ and its control is partitioned by $K_U$, and let the initial states be $X_0 = \bigcup_{i \in I} e_i$, with $I \subseteq \mathbf{k}$. Then a timed game automaton $\mathcal{G} = (E, E_0, C, \Sigma_c, \Sigma_u, I, \Delta)$ with $E = K_X(\mathcal{S}) \times K_U$ and $E_0 = \{e_i \mid i \in I\} \times K_U$ is said to be a complete abstraction of $\Gamma$ on $[t_1, t_2]$ if it is a sound abstraction and $\forall t \in [t_1, t_2]$, any $\kappa$, and

for each $e_i \in \mathrm{Reach}_{[t,t]}(\mathcal{G}_\kappa, E_0)$ (27a)
$\exists x_0 \in X_0$ such that $\phi_{\Gamma_\kappa}(t, x_0) \in e_i$. (27b)

A complete abstraction $\mathcal{G}_\kappa$ is safe (unsafe) if and only if $\Gamma_\kappa$ is also safe (unsafe).

This next proposition follows directly from Proposition 6 in [m].

Proposition 2. A timed game automaton $\mathcal{G}_{ex}(\mathcal{S}) = \mathcal{G}_1(\mathcal{S}^1) \| \ldots \| \mathcal{G}_k(\mathcal{S}^k)$, with locations abstracting extended cells, is a sound (complete) abstraction of the control system $\Gamma$ if and only if $\mathcal{G}_1(\mathcal{S}^1), \ldots, \mathcal{G}_k(\mathcal{S}^k)$ are sound (complete) abstractions of $\Gamma$.

Let $\mathcal{S}$ be a slice-family. We say that a control $g$ is an admissible control if for each slice $S \in \mathcal{S}$ we have either $\dot{\varphi}_g(x) > 0$ for all $x \in S \setminus \mathrm{Cr}(f_g)$ or $\dot{\varphi}_g(x) < 0$ for all $x \in S \setminus \mathrm{Cr}(f_g)$. We introduce the notation $\dot{\varphi}_g > 0$ on $S$ if and only if $\dot{\varphi}_g(x) > 0$ for some, thus for all, $x \in S \setminus \mathrm{Cr}(f_g)$.

Lemma 1. Let $\mathcal{S}$ be a slice-family on $\mathbb{R}^n$, and $\varphi$ be a partitioning function associated with $\mathcal{S}$. Let $\{t_j \in \mathbb{R}_{\geq 0} \mid j \in \mathbf{k} \cup \{0\}\}$ be a sequence of nondecreasing real numbers, and $\{g_j : X \to U \mid j \in \mathbf{k}\}$ be a sequence of controls, where $g_j$ is applied for $t \in [t_{j-1}, t_j]$.

Suppose $S \in \mathcal{S}$. For convenience, let $\underline{\varphi}_{g_j} = \inf\{|\dot{\varphi}_{g_j}(x)| \in \mathbb{R}_{\geq 0} \mid x \in S\}$, $\overline{\varphi}_{g_j} = \sup\{|\dot{\varphi}_{g_j}(x)| \in \mathbb{R}_{\geq 0} \mid x \in S\}$, $\Delta_k(t) = t - t_{k-1}$, $J^+ = \{j \in \mathbf{k} \mid \dot{\varphi}_{g_j} > 0\}$, and $J^- = \mathbf{k} \setminus J^+$.

If for all $j \in \mathbf{k}$

$\mathrm{Reach}_{[t_{j-1}, t_j]}(\Gamma_{g_j}, x_{j-1}) \subseteq S$ (28)

then for all $t \in [t_{k-1}, t_k]$

$$\sum_{j \in J^+ \setminus \{k\}} \Delta_j(t_j)\,\underline{\varphi}_{g_j} - \sum_{j \in J^- \setminus \{k\}} \Delta_j(t_j)\,\overline{\varphi}_{g_j} + \begin{cases} \Delta_k(t)\,\underline{\varphi}_{g_k} & \text{if } \dot{\varphi}_{g_k} > 0 \\ -\Delta_k(t)\,\overline{\varphi}_{g_k} & \text{if } \dot{\varphi}_{g_k} < 0 \end{cases}$$
$$\leq \sum_{j=1}^{k-1} \int_{t_{j-1}}^{t_j} \dot{\varphi}_{g_j}\big(\phi_{\Gamma_{g_j}}(\Delta_j(\tau), x_{j-1})\big)\,d\tau + \int_{t_{k-1}}^{t} \dot{\varphi}_{g_k}\big(\phi_{\Gamma_{g_k}}(\Delta_k(\tau), x_{k-1})\big)\,d\tau$$
$$\leq \sum_{j \in J^+ \setminus \{k\}} \Delta_j(t_j)\,\overline{\varphi}_{g_j} - \sum_{j \in J^- \setminus \{k\}} \Delta_j(t_j)\,\underline{\varphi}_{g_j} + \begin{cases} \Delta_k(t)\,\overline{\varphi}_{g_k} & \text{if } \dot{\varphi}_{g_k} > 0 \\ -\Delta_k(t)\,\underline{\varphi}_{g_k} & \text{if } \dot{\varphi}_{g_k} < 0. \end{cases} \qquad (29)$$

Note that $x_j = \phi_{\Gamma_{g_j}}(\Delta_j(t_j), x_{j-1})$.

Proof. The inequalities in (29) are the consequence of $\underline{\varphi}_{g_j} \leq \dot{\varphi}_{g_j}(x)$ and $\overline{\varphi}_{g_j} \geq \dot{\varphi}_{g_j}(x)$ for all $x \in S$. □

The principle of the lemma is illustrated in Figure 4, where $\varphi(\phi_\Gamma(\Delta_j(\tau), x_{j-1}))$ for $j = 1, \ldots, 4$ (black line) is plotted together with the upper approximation (red) and the lower approximation (blue). It is seen that the inaccuracy of the approximation increases with time.




Figure 4: The value of the Lyapunov function evaluated along a solution curve (black) and an upper approximation (red) and a lower approximation (blue) of it.



We use Lemma 1 to set up invariants and guards for the solution to stay in a slice $S$. Suppose $\varphi^{-1}([1, 3])$ in Figure 4 is a slice; then Corollary 1 determines the time when the red and blue lines intersect the level set $\varphi^{-1}(3)$.



Corollary 1. Let $\mathcal{S}$ be a slice-family on $\mathbb{R}^n$, and $\varphi$ be a partitioning function associated with $\mathcal{S}$. Suppose $S \in \mathcal{S}$ and $S = \varphi^{-1}([a_{h-1}, a_h])$, and define $\Delta a = a_h - a_{h-1}$. Furthermore, assume that $x_0 \in \varphi^{-1}(a_{h-1})$ and that $\dot{\varphi}_{g_1} > 0$. Then from (29) it follows that for all $t \in [t_{k-1}, t_k]$ with $k \in J^+$, an invariant for the solution to stay in the slice $S$ is

$$\sum_{j \in J^+ \setminus \{k\}} \Delta_j(t_j)\,\underline{\varphi}_{g_j} - \sum_{j \in J^- \setminus \{k\}} \Delta_j(t_j)\,\overline{\varphi}_{g_j} + \Delta_k(t)\,\underline{\varphi}_{g_k} < \Delta a. \qquad (30)$$

This implies that if inequality (30) is violated, then $\phi_{\Gamma_{g_k}}(t - t_{k-1}, x_{k-1}) \notin S$. Similarly, for all $t \in [t_{k-1}, t_k]$ with $k \in J^+$, a guard for the solution to stay in the slice is

$$\sum_{j \in J^+ \setminus \{k\}} \Delta_j(t_j)\,\overline{\varphi}_{g_j} - \sum_{j \in J^- \setminus \{k\}} \Delta_j(t_j)\,\underline{\varphi}_{g_j} + \Delta_k(t)\,\overline{\varphi}_{g_k} \geq \Delta a. \qquad (31)$$

This implies that if (31) is violated, then $\phi_{\Gamma_{g_k}}(t - t_{k-1}, x_{k-1}) \in S$.

Additionally, for all $t \in [t_{k-1}, t_k]$ with $k \in J^-$, an invariant for the solution to stay in the slice is

$$\sum_{j \in J^+ \setminus \{k\}} \Delta_j(t_j)\,\overline{\varphi}_{g_j} - \sum_{j \in J^- \setminus \{k\}} \Delta_j(t_j)\,\underline{\varphi}_{g_j} - \Delta_k(t)\,\underline{\varphi}_{g_k} > 0. \qquad (32)$$

Finally, for all $t \in [t_{k-1}, t_k]$ with $k \in J^-$, a guard for the solution to stay in the slice is

$$\sum_{j \in J^+ \setminus \{k\}} \Delta_j(t_j)\,\underline{\varphi}_{g_j} - \sum_{j \in J^- \setminus \{k\}} \Delta_j(t_j)\,\overline{\varphi}_{g_j} - \Delta_k(t)\,\overline{\varphi}_{g_k} \leq 0. \qquad (33)$$

Proof. Note that if $\dot{\varphi}_{g_k} > 0$, the solution leaves the slice at some $t \in [t_{k-1}, t_k]$ when $\phi_{\Gamma_{g_k}}(t - t_{k-1}, x_{k-1}) \in \varphi^{-1}(a_h)$, i.e., for some $t \in [t_{k-1}, t_k]$

$$\sum_{j=1}^{k-1} \int_{t_{j-1}}^{t_j} \dot{\varphi}_{g_j}\big(\phi_{\Gamma_{g_j}}(\Delta_j(\tau), x_{j-1})\big)\,d\tau + \int_{t_{k-1}}^{t} \dot{\varphi}_{g_k}\big(\phi_{\Gamma_{g_k}}(\Delta_k(\tau), x_{k-1})\big)\,d\tau = \Delta a. \qquad (34)$$

If $\dot{\varphi}_{g_k} < 0$, the solution leaves the slice when $\phi_{\Gamma_{g_k}}(\Delta_k(t), x_{k-1}) \in \varphi^{-1}(a_{h-1})$ for some $t \in [t_{k-1}, t_k]$, i.e., for some $t \in [t_{k-1}, t_k]$

$$\sum_{j=1}^{k-1} \int_{t_{j-1}}^{t_j} \dot{\varphi}_{g_j}\big(\phi_{\Gamma_{g_j}}(\Delta_j(\tau), x_{j-1})\big)\,d\tau + \int_{t_{k-1}}^{t} \dot{\varphi}_{g_k}\big(\phi_{\Gamma_{g_k}}(\Delta_k(\tau), x_{k-1})\big)\,d\tau = 0. \qquad (35)$$

This provides the right hand sides of (30)-(33). However, note that $\leq$ ($\geq$) also changes to $\geq$ ($\leq$), which is due to the changing direction of $\dot{\varphi}_{g_k}$. □

The corollary provides guard and invariant conditions, which give the minimum and maximum time a trajectory stays within a slice for a given sequence of controls.

A sufficient and necessary condition for soundness of an ab- 
straction is formulated in the following. To stress that the 
control is of importance, we denote SI, used in (pT| and 



(22bf, by 



Theorem 1. A timed game automaton G{S) — {E, Eq, C, 
Ec, Su, J, A) IS a sound abstraction of the control system T, 
if and only if its invariants and guards are given by (21 1 and 
(|22bl), where for each y € y and g G Ku 



^»..s) ~ sup{i(^^(a;)| G R>o|a; G SjJ 
^(H.,s) ~ inf{|v3^(a;)| G R>o|3:: G 5jJ 



(36a) 



(36b) 



and ipgix) is defined as shown in (4a I. The update map for 
transitions relations associated with controllable actions, see 



(23c I, between two locations e and e! with control g respec- 



tively g' is 



v\R. 



■c , e — > e ' 



(yi,9) 





(yi>9 ) 
{yi>9 ), 





iVj -9 ) 

iyi,9) 





U(C') if <Pg<fig' > 



{vj ,9') 



v(c') otherwise. 



(37) 



Proof. Note that if ipg^, > 0, the solution leaves the slice 
at some t G [tk-i,tk] when (j)rg.{t — tk-i,Xk-i) G (p~^{ah), 



Proof. In this proof, we show by induction that the invariants and guards imposed on the clocks of $G(\mathcal{S})$ generated using Theorem 1, where

$$
\bar\psi^i_{(y_i,g)} = \sup\{|\psi^i_g(x)| \in \mathbb{R}_{\ge 0} \mid x \in S^i_{y_i}\}, \quad (38a)
$$
$$
\underline\psi^i_{(y_i,g)} = \inf\{|\psi^i_g(x)| \in \mathbb{R}_{\ge 0} \mid x \in S^i_{y_i}\}, \quad (38b)
$$

are equivalent to the guards and invariants given by Corollary 1. As Corollary 1 gives conditions for a sound approximation, this will prove the theorem.

Recall that $S^i_{y_i} = (\varphi^i)^{-1}([a_{y_i-1}, a_{y_i}])$, where $a_{y_i-1} < a_{y_i}$ and $\Delta a = a_{y_i} - a_{y_i-1}$. Assume that $x_0 \in (\varphi^i)^{-1}(a_{y_i-1})$, $\psi^i_{g_1} > 0$, and $v_0(c^i) = (0, 0)$. Note that the valuations of the clocks are assumed to be zero, as $x_0$ is on the boundary of the considered slice.

First, we show that the invariants of Corollary 1 and Theorem 1 are the same for all $t \in [t_0, t_1]$; secondly, we assume they are the same for all $t \in [t_{k-1}, t_k]$. Finally, we show that they are the same for all $t \in [t_k, t_{k+1}]$.

Base case: We show that for $t \in [t_0, t_1]$ the guards and invariants in (30)-(33), shown in (39) for the considered case, are equivalent to the guard and invariant generated by using Theorem 1. From (30)-(33) we know that for all $t \in [t_0, t_1]$

$$
(t - t_0)\,\bar\psi_{g_1} < \Delta a \iff (t - t_0) < \underline{t}_{g_1}, \quad (39a)
$$
$$
(t - t_0)\,\underline\psi_{g_1} \ge \Delta a \iff (t - t_0) \ge \bar{t}_{g_1}. \quad (39b)
$$

The invariants and guards of the abstraction are $c_1 < \underline{t}_{g_1}$ and $c_2 \ge \bar{t}_{g_1}$, where the clock valuations for all $t \in [t_0, t_1]$ are

$$
v(c_1) < \underline{t}_{g_1} \iff v_0(c_1) + (t - t_0) < \underline{t}_{g_1}, \quad (40a)
$$
$$
v(c_2) \ge \bar{t}_{g_1} \iff v_0(c_2) + (t - t_0) \ge \bar{t}_{g_1}. \quad (40b)
$$

It is seen that (39) and (40) are equivalent, as $v_0(c^i) = (0, 0)$.



Inductive step: Assume that the guards and invariants of Theorem 1 are equivalent to the guards and invariants derived from Corollary 1 for all $t \in [t_{k-1}, t_k]$, and that if $k \in J^+$, then

$$
v(c_1) < \underline{t}_{g_k} \iff \sum_{j\in J^+\setminus\{k\}} \Delta_j(t_j)\,\bar\psi_{g_j} - \sum_{j\in J^-\setminus\{k\}} \Delta_j(t_j)\,\underline\psi_{g_j} + \Delta_k(t)\,\bar\psi_{g_k} < \Delta a, \quad (41a)
$$
$$
v(c_2) \ge \bar{t}_{g_k} \iff \sum_{j\in J^+\setminus\{k\}} \Delta_j(t_j)\,\underline\psi_{g_j} - \sum_{j\in J^-\setminus\{k\}} \Delta_j(t_j)\,\bar\psi_{g_j} + \Delta_k(t)\,\underline\psi_{g_k} \ge \Delta a, \quad (41b)
$$

and if $k \in J^-$, then

$$
v(c_1) < \underline{t}_{g_k} \iff \sum_{j\in J^+\setminus\{k\}} \Delta_j(t_j)\,\underline\psi_{g_j} - \sum_{j\in J^-\setminus\{k\}} \Delta_j(t_j)\,\bar\psi_{g_j} - \Delta_k(t)\,\bar\psi_{g_k} > 0, \quad (42a)
$$
$$
v(c_2) \ge \bar{t}_{g_k} \iff \sum_{j\in J^+\setminus\{k\}} \Delta_j(t_j)\,\bar\psi_{g_j} - \sum_{j\in J^-\setminus\{k\}} \Delta_j(t_j)\,\underline\psi_{g_j} - \Delta_k(t)\,\underline\psi_{g_k} \le 0. \quad (42b)
$$



Now we show that the guards and invariants imposed by Theorem 1 are still equivalent to those of Corollary 1 at $j = k + 1$. To shorten the proof, we only show this in two of the four possible cases ($\psi_{g_k}\psi_{g_{k+1}} > 0$ and $\psi_{g_k} > 0$; $\psi_{g_k}\psi_{g_{k+1}} > 0$ and $\psi_{g_k} < 0$; $\psi_{g_k}\psi_{g_{k+1}} < 0$ and $\psi_{g_k} > 0$; $\psi_{g_k}\psi_{g_{k+1}} < 0$ and $\psi_{g_k} < 0$).

Assume that $\psi_{g_k}\psi_{g_{k+1}} > 0$ and $\psi_{g_k} > 0$. Then the invariant assumed in Theorem 1 becomes, for all $t \in [t_k, t_{k+1}]$,

$$
\frac{\underline{t}_{g_{k+1}}}{\underline{t}_{g_k}}\, v_k(c_1) + \Delta_k(t) < \underline{t}_{g_{k+1}} \quad (43a)
$$
$$
\iff \frac{\bar\psi_{g_k}}{\bar\psi_{g_{k+1}}}\, v_k(c_1) + \Delta_k(t) < \underline{t}_{g_{k+1}}. \quad (43b)
$$

We use (41a) to obtain $v_k(c_1)$ by dividing the inequality by $\bar\psi_{g_k}$:

$$
v_k(c_1) = \sum_{j\in J^+} \Delta_j(t_j)\,\frac{\bar\psi_{g_j}}{\bar\psi_{g_k}} - \sum_{j\in J^-} \Delta_j(t_j)\,\frac{\underline\psi_{g_j}}{\bar\psi_{g_k}}. \quad (44)
$$

Inserting (44) into (43b) and multiplying it by $\bar\psi_{g_{k+1}}$ yields, for all $t \in [t_k, t_{k+1}]$ (note that $\Delta a = \underline{t}_{g_{k+1}}\bar\psi_{g_{k+1}}$), an inequality that equals (41a) for $j = k + 1$.



Now assume that $\psi_{g_k}\psi_{g_{k+1}} < 0$ and $\psi_{g_k} > 0$. The guard generated by the assumption of Theorem 1 becomes, for all $t \in [t_k, t_{k+1}]$,

$$
\bar{t}_{g_{k+1}} - \frac{\bar{t}_{g_{k+1}}}{\underline{t}_{g_k}}\, v_k(c_1) + \Delta_k(t) \ge \bar{t}_{g_{k+1}} \quad (46a)
$$
$$
\iff \bar{t}_{g_{k+1}} - \frac{\bar\psi_{g_k}}{\underline\psi_{g_{k+1}}}\, v_k(c_1) + \Delta_k(t) \ge \bar{t}_{g_{k+1}}. \quad (46b)
$$

We use (41a) to obtain $v_k(c_1)$ by dividing the inequality by $\bar\psi_{g_k}$:

$$
v_k(c_1) = \sum_{j\in J^+} \Delta_j(t_j)\,\frac{\bar\psi_{g_j}}{\bar\psi_{g_k}} - \sum_{j\in J^-} \Delta_j(t_j)\,\frac{\underline\psi_{g_j}}{\bar\psi_{g_k}}. \quad (47)
$$

Inserting (47) into (46b) and multiplying it with $\underline\psi_{g_{k+1}}$ yields, for all $t \in [t_k, t_{k+1}]$ (note that $\Delta a = \bar{t}_{g_{k+1}}\underline\psi_{g_{k+1}}$),

$$
\Delta a - \sum_{j\in J^+} \Delta_j(t_j)\,\bar\psi_{g_j} + \sum_{j\in J^-} \Delta_j(t_j)\,\underline\psi_{g_j} + \underline\psi_{g_{k+1}}\,\Delta_k(t) \ge \Delta a \quad (48a)
$$
$$
\iff \sum_{j\in J^+} \Delta_j(t_j)\,\bar\psi_{g_j} - \sum_{j\in J^-} \Delta_j(t_j)\,\underline\psi_{g_j} - \underline\psi_{g_{k+1}}\,\Delta_k(t) \le 0. \quad (48b)
$$

This equals (42b) for $j = k + 1$. □



Remark 4. The theorem provides the closest possible sound abstraction using only functions with constant derivatives, when (38) is satisfied. This follows from Figure 4, where it is seen that the lower and upper approximations can actually be tangent to the Lyapunov function at the beginning of a time interval. Hence, if the conditions are strengthened, the abstraction will no longer be a sound approximation of the control system.
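As an added example in Python (not code from the paper), the bookkeeping behind Lemma 1 and Corollary 1 and the clock rescaling used in the proof of Theorem 1 are carried out on a constructed slice and switching sequence. The class and function names, the numeric bounds on $|\psi_g|$ and the slice width $\Delta a$ are assumptions; the update map is written down as read from (37) together with (43) and (46), and the block checks that the clock conditions $c_1 < \underline{t}_g$ and $c_2 \ge \bar{t}_g$ decide exactly what (30)-(33) decide along the sequence.

```python
# Added example (not from the paper): constant-rate over-/under-approximation
# of a Lyapunov function along a switched trajectory (Lemma 1, Corollary 1)
# and the clock rescaling of update map (37). All numbers are constructed.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    """Bounds on |psi_g| over one slice for control g (constructed values):
    psi_low = inf |psi_g(x)|, psi_high = sup |psi_g(x)|, sign = +1 if psi_g > 0
    on the slice (index set J+), -1 if psi_g < 0 (index set J-)."""
    name: str
    psi_low: float
    psi_high: float
    sign: int

    def t_low(self, delta_a: float) -> float:   # underline t_g = delta_a / bar psi_g
        return delta_a / self.psi_high

    def t_high(self, delta_a: float) -> float:  # bar t_g = delta_a / underline psi_g
        return delta_a / self.psi_low


Segment = Tuple[Control, float]  # (g_j, Delta_j(t_j)): control and time spent under it


def phi_change_bounds(history: List[Segment]) -> Tuple[float, float]:
    """Lower and upper bound on phi(x(t)) - phi(x_0) after the given segments,
    i.e. the two sides of (29): an increasing segment contributes
    [dt*psi_low, dt*psi_high], a decreasing one [-dt*psi_high, -dt*psi_low]."""
    lower = upper = 0.0
    for g, dt in history:
        if g.sign > 0:
            lower += dt * g.psi_low
            upper += dt * g.psi_high
        else:
            lower -= dt * g.psi_high
            upper -= dt * g.psi_low
    return lower, upper


def invariant_holds(history: List[Segment], delta_a: float) -> bool:
    """(30)/(32): while this holds the solution is certainly still inside the
    slice phi^{-1}([a_{h-1}, a_h]) that was entered at a_{h-1}."""
    lower, upper = phi_change_bounds(history)
    current = history[-1][0]
    return upper < delta_a if current.sign > 0 else lower > 0.0


def guard_holds(history: List[Segment], delta_a: float) -> bool:
    """(31)/(33): once this holds the solution has certainly left the slice."""
    lower, upper = phi_change_bounds(history)
    current = history[-1][0]
    return lower >= delta_a if current.sign > 0 else upper <= 0.0


def leave_window(history: List[Segment], delta_a: float) -> Tuple[float, float]:
    """(earliest time the invariant can be violated, latest time by which the
    guard holds), both measured from the start of the last segment: the
    minimum and maximum time the trajectory stays in the slice."""
    past, (g, _) = history[:-1], history[-1]
    lower, upper = phi_change_bounds(past)
    if g.sign > 0:
        return max(0.0, (delta_a - upper) / g.psi_high), max(0.0, (delta_a - lower) / g.psi_low)
    return max(0.0, lower / g.psi_high), max(0.0, upper / g.psi_low)


def update_clocks(c1: float, c2: float, g: Control, g_new: Control, delta_a: float) -> Tuple[float, float]:
    """Clock update on a switch g -> g_new inside one slice, as read from (37):
    equal signs of psi rescale each clock; a sign change also swaps the roles
    of the invariant clock c1 and the guard clock c2."""
    if g.sign * g_new.sign > 0:
        return (g_new.t_low(delta_a) / g.t_low(delta_a) * c1,
                g_new.t_high(delta_a) / g.t_high(delta_a) * c2)
    return (g_new.t_low(delta_a) - g_new.t_low(delta_a) / g.t_high(delta_a) * c2,
            g_new.t_high(delta_a) - g_new.t_high(delta_a) / g.t_low(delta_a) * c1)


def clocks_agree_with_corollary(history: List[Segment], delta_a: float) -> bool:
    """Run both clocks along `history` (both start at 0 on the lower facet) and
    check that c1 < t_low and c2 >= t_high decide what (30)-(33) decide."""
    if not history:
        raise ValueError("history must contain at least one segment")
    c1 = c2 = 0.0
    prev = None
    for g, dt in history:
        if prev is not None:
            c1, c2 = update_clocks(c1, c2, prev, g, delta_a)
        c1, c2 = c1 + dt, c2 + dt
        prev = g
    inv_clock = c1 < prev.t_low(delta_a)
    grd_clock = c2 >= prev.t_high(delta_a)
    return inv_clock == invariant_holds(history, delta_a) and grd_clock == guard_holds(history, delta_a)


# Constructed controls and a constructed switching sequence for a slice of width 3.
UP = Control("up", psi_low=1.0, psi_high=2.0, sign=+1)
DOWN = Control("down", psi_low=0.5, psi_high=1.0, sign=-1)
FAST_UP = Control("fast_up", psi_low=2.0, psi_high=4.0, sign=+1)
DELTA_A = 3.0
HISTORY: List[Segment] = [(UP, 0.5), (DOWN, 0.25), (FAST_UP, 0.25)]

if __name__ == "__main__":
    print("bounds on phi change:", phi_change_bounds(HISTORY))
    print("(earliest, latest) leaving time under FAST_UP:", leave_window(HISTORY, DELTA_A))
    print("clocks agree with Corollary 1:", clocks_agree_with_corollary(HISTORY, DELTA_A))
```

The window returned by `leave_window` is exactly what the timed game sees: before its first component the location's invariant keeps the solution in the slice, after its second component the guard certifies that it has left, and in between the abstraction has to allow both outcomes, which is the source of the over-approximation visible in Figure 4.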

6. ILLUSTRATIVE EXAMPLE

In this section, we apply the abstraction to a model of a unicycle given as

(49)

where $x \in \mathbb{R}^4$ and $u \in \mathbb{R}^2$. The first coordinate $x_1$ is the position of the unicycle in the $x$-direction, $x_2$ is the velocity of the unicycle in the $x$-direction, $x_3$ is the position of the unicycle in the $y$-direction, and $x_4$ is the velocity of the unicycle in the $y$-direction. The inputs are the acceleration in the $x$-direction ($u_1$) and the acceleration in the $y$-direction ($u_2$). The dynamics of this system are not complex, in contrast to the control objective. The objective is to design a controller ensuring that the system always reaches the goal set (green) from the initial set (blue), without hitting any of the obstacles (red), see Figure 5.

Figure 5: Track of the unicycle, given by initial set (blue), goal set (green), and obstacles (red). The gray lines are trajectories of the robot, controlled using the proposed strategy.



The partition is conducted using four Lyapunov functions, which are not shown, as they are four-dimensional.

A control law, given by a switched controller, is generated from the abstraction, where the switching is determined by the cell that the system is in. From this example, it is concluded that it is possible to generate control strategies from the proposed abstraction. However, the strategy is not automatically generated, as the update maps introduced in this paper are not implemented in currently available verification tools.

7. CONCLUSION 

In this paper, a method for abstracting control systems by timed games has been presented. The method is based on partitioning the state space of the system by set-differences of sets that are positive or negative invariant for all admissible controls. The timed games used in the abstraction have a more expressive update map than the update map usually allowed for timed game automata. This makes it possible to generate the proposed sound approximations, but has the consequence that no tools exist for automatic controller synthesis.

To enable synthesis of a control strategy that ensures safety of the system, conditions for soundness have been set up. These conditions tell when a sound abstraction can be realized from a partition of a state space and a partition of the control. Finally, an example is provided to demonstrate that the formalism can be used to synthesize controllers that satisfy temporal specifications.
